matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-06 06:02:40 +03:00
Code Activity

Backend work to support minimum password complexity (#2965)

Browse Source 
* config: Add minimum password complexity option

* PasswordManager: add function for checking if complexity is sufficient

* Enforce password complexity on registration, change and recovery

* cli: Use exit code 1 for weak passwords

This seems preferable to exit code 0, but ideally we should choose one
and document it.

* Expose minimum password complexity score over GraphQL
This commit is contained in:
reivilibre
2024-07-11 10:17:39 +01:00
committed by GitHub
parent 569eb07bd6
commit fbc360d1a9
25 changed files with 317 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
crates/cli/src/commands/config.rs
View File

@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::process::ExitCode;
use anyhow::Context;
use camino::Utf8PathBuf;
use clap::Parser;
@@ -68,7 +70,7 @@ enum Subcommand {
}
impl Options {
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
use Subcommand as SC;
match self.subcommand {
SC::Dump { output } => {
@@ -139,6 +141,6 @@ impl Options {
}
}
Ok(())
Ok(ExitCode::SUCCESS)
}
}

6
crates/cli/src/commands/database.rs
View File

@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::process::ExitCode;
use anyhow::Context;
use clap::Parser;
use figment::Figment;
@@ -34,7 +36,7 @@ enum Subcommand {
}
impl Options {
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
let _span = info_span!("cli.database.migrate").entered();
let config = DatabaseConfig::extract(figment)?;
let mut conn = database_connection_from_config(&config).await?;
@@ -46,6 +48,6 @@ impl Options {
.await
.context("could not run migrations")?;
Ok(())
Ok(ExitCode::SUCCESS)
}
}

6
crates/cli/src/commands/debug.rs
View File

@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::process::ExitCode;
use clap::Parser;
use figment::Figment;
use http_body_util::BodyExt;
@@ -67,7 +69,7 @@ fn print_headers(parts: &hyper::http::response::Parts) {
impl Options {
#[tracing::instrument(skip_all)]
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
use Subcommand as SC;
let http_client_factory = HttpClientFactory::new();
match self.subcommand {
@@ -130,6 +132,6 @@ impl Options {
}
}
Ok(())
Ok(ExitCode::SUCCESS)
}
}

6
crates/cli/src/commands/doctor.rs
View File

@@ -17,6 +17,8 @@
//! The code is quite repetitive for now, but we can refactor later with a
//! better check abstraction
use std::process::ExitCode;
use anyhow::Context;
use clap::Parser;
use figment::Figment;
@@ -35,7 +37,7 @@ pub(super) struct Options {}
impl Options {
#[allow(clippy::too_many_lines)]
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
let _span = info_span!("cli.doctor").entered();
info!("💡 Running diagnostics, make sure that both MAS and Synapse are running, and that MAS is using the same configuration files as this tool.");
@@ -423,6 +425,6 @@ Error details: {e}"#
),
}
Ok(())
Ok(ExitCode::SUCCESS)
}
}

56
crates/cli/src/commands/manage.rs
View File

@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::collections::BTreeMap;
use std::{collections::BTreeMap, process::ExitCode};
use anyhow::Context;
use clap::{ArgAction, CommandFactory, Parser};
@@ -34,7 +34,7 @@ use mas_storage::{
use mas_storage_pg::{DatabaseError, PgRepository};
use rand::{RngCore, SeedableRng};
use sqlx::{types::Uuid, Acquire};
use tracing::{info, info_span, warn};
use tracing::{error, info, info_span, warn};
use crate::util::{database_connection_from_config, password_manager_from_config};
@@ -69,7 +69,14 @@ enum Subcommand {
VerifyEmail { username: String, email: String },
/// Set a user password
SetPassword { username: String, password: String },
SetPassword {
username: String,
password: String,
/// Don't enforce that the password provided is above the minimum
/// configured complexity.
#[clap(long)]
ignore_complexity: bool,
},
/// Issue a compatibility token
IssueCompatibilityToken {
@@ -158,19 +165,27 @@ enum Subcommand {
/// Set the user's display name
#[arg(short, long, help_heading = USER_ATTRIBUTES_HEADING)]
display_name: Option<String>,
/// Don't enforce that the password provided is above the minimum
/// configured complexity.
#[clap(long)]
ignore_password_complexity: bool,
},
}
impl Options {
#[allow(clippy::too_many_lines)]
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
use Subcommand as SC;
let clock = SystemClock::default();
// XXX: we should disallow SeedableRng::from_entropy
let mut rng = rand_chacha::ChaChaRng::from_entropy();
match self.subcommand {
SC::SetPassword { username, password } => {
SC::SetPassword {
username,
password,
ignore_complexity,
} => {
let _span =
info_span!("cli.manage.set_password", user.username = %username).entered();
@@ -188,6 +203,11 @@ impl Options {
.await?
.context("User not found")?;
if !ignore_complexity && !password_manager.is_password_complex_enough(&password)? {
error!("That password is too weak.");
return Ok(ExitCode::from(1));
}
let password = password.into_bytes().into();
let (version, hashed_password) = password_manager.hash(&mut rng, password).await?;
@@ -199,7 +219,7 @@ impl Options {
info!(%user.id, %user.username, "Password changed");
repo.into_inner().commit().await?;
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::VerifyEmail { username, email } => {
@@ -236,7 +256,7 @@ impl Options {
repo.into_inner().commit().await?;
info!(?email, "Email marked as verified");
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::IssueCompatibilityToken {
@@ -284,7 +304,7 @@ impl Options {
"Compatibility token issued: {}", compat_access_token.token
);
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::ProvisionAllUsers => {
@@ -309,7 +329,7 @@ impl Options {
repo.into_inner().commit().await?;
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::KillSessions { username, dry_run } => {
@@ -427,7 +447,7 @@ impl Options {
txn.commit().await?;
}
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::LockUser {
@@ -462,7 +482,7 @@ impl Options {
repo.into_inner().commit().await?;
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::UnlockUser { username } => {
@@ -483,7 +503,7 @@ impl Options {
repo.user().unlock(user).await?;
repo.into_inner().commit().await?;
Ok(())
Ok(ExitCode::SUCCESS)
}
SC::RegisterUser {
@@ -495,6 +515,7 @@ impl Options {
no_admin,
display_name,
yes,
ignore_password_complexity,
} => {
let http_client_factory = HttpClientFactory::new();
let password_config = PasswordsConfig::extract(figment)?;
@@ -512,6 +533,15 @@ impl Options {
let txn = conn.begin().await?;
let mut repo = PgRepository::from_conn(txn);
if let Some(password) = &password {
if !ignore_password_complexity
&& !password_manager.is_password_complex_enough(password)?
{
error!("That password is too weak.");
return Ok(ExitCode::from(1));
}
}
// If the username is provided, check if it's available and normalize it.
let localpart = if let Some(username) = username {
check_and_normalize_username(&username, &mut repo, &homeserver)
@@ -722,7 +752,7 @@ impl Options {
warn!("Aborted");
}
Ok(())
Ok(ExitCode::SUCCESS)
}
}
}

4
crates/cli/src/commands/mod.rs
View File

@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::process::ExitCode;
use camino::Utf8PathBuf;
use clap::Parser;
use figment::{
@@ -67,7 +69,7 @@ pub struct Options {
}
impl Options {
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
use Subcommand as S;
// We Box the futures for each subcommand so that we avoid this function being
// big on the stack all the time

6
crates/cli/src/commands/server.rs
View File

@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::{collections::BTreeSet, sync::Arc, time::Duration};
use std::{collections::BTreeSet, process::ExitCode, sync::Arc, time::Duration};
use anyhow::Context;
use clap::Parser;
@@ -65,7 +65,7 @@ pub(super) struct Options {
impl Options {
#[allow(clippy::too_many_lines)]
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
let span = info_span!("cli.run.init").entered();
let config = AppConfig::extract(figment)?;
@@ -309,6 +309,6 @@ impl Options {
state.activity_tracker.shutdown().await;
Ok(())
Ok(ExitCode::SUCCESS)
}
}

6
crates/cli/src/commands/templates.rs
View File

@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::process::ExitCode;
use clap::Parser;
use figment::Figment;
use mas_config::{
@@ -37,7 +39,7 @@ enum Subcommand {
}
impl Options {
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
use Subcommand as SC;
match self.subcommand {
SC::Check => {
@@ -66,7 +68,7 @@ impl Options {
templates_from_config(&template_config, &site_config, &url_builder).await?;
templates.check_render(clock.now(), &mut rng)?;
Ok(())
Ok(ExitCode::SUCCESS)
}
}
}

6
crates/cli/src/commands/worker.rs
View File

@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use std::process::ExitCode;
use clap::Parser;
use figment::Figment;
use mas_config::{AppConfig, ConfigurationSection};
@@ -32,7 +34,7 @@ use crate::util::{
pub(super) struct Options {}
impl Options {
pub async fn run(self, figment: &Figment) -> anyhow::Result<()> {
pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
let span = info_span!("cli.worker.init").entered();
let config = AppConfig::extract(figment)?;
@@ -82,6 +84,6 @@ impl Options {
span.exit();
monitor.run().await?;
Ok(())
Ok(ExitCode::SUCCESS)
}
}